跳到主要内容

Proof Key

Proof Key is a protocol that allows users to verify their identity on-chain. Imagine that a user has an online identity linked to a private soul-bound token (SBT), which is an NFT that cannot be transferred. We refer to the private SBT as a zkSBT. To prove their identity, they would need to:

  1. Show the zkSBT has been minted to their zkAddress.
  2. Show they have spending rights to that zkAddress.

Transaction Data

In order to perform the first step, let us recall how a zkAsset (in this case, a zkSBT) is encoded in a UTXO

  • UTXO=commit(zkSBT,zkAddress,salt)UTXO = \textsf{commit}(zkSBT, zkAddress, salt)

which is then posted on-chain. The salt is a randomly generated quantity used to prevent UTXO duplication: if the same zkAsset sent to the same zkAddress generated the same UTXO, that would compromise privacy.

Therefore, to prove that a certain zkAddress owns a zkSBT, it is enough to give the verifier the zkSBT data, namely the AssetID and AssetValue (which is always 1 for NFTs/SBTs) and the salt used to encode the UTXO. The verifier would then reconstruct the UTXO with these data and cross-reference it with the blockchain.

Identity Proof

In order to perform the second step, the verifier will send the prover a challenge, namely a virtual zkAsset with some salt. The prover will then create a UTXO to their zkAddress encoding this zkAsset with the provided salt and generate a virtual (i.e. off-chain) ToPublic transaction reclaiming it. The public outputs of this virtual transaction and the ZKP are then sent to the verifier.

The verifier checks the transaction output as follows:

  1. The output has a valid signature.
  2. The output has a valid ZKP.
  3. The output is consistent with the provided zkAsset and salt.

Only the owner of the spending key to that zkAddress would be able to generate such a virtual ToPublic transaction, therefore this is enough to prove ownership of a zkAddress.

No gas fees!

Even though the first step involves checking some on-chain data, neither the prover nor the verifier post any transactions there. This means that both steps of the Proof Key protocol happen off-chain, sparing the user of any gas fees!